From 847dd5d5099d51cc73285f1aa8223e599abad3d2 Mon Sep 17 00:00:00 2001
From: Himanshu Agarwal
Date: Wed, 4 Oct 2017 14:15:04 +0530
Subject: [PATCH] qcacld-3.0: Add sanity check for vdev id to prevent OOB access

Add sanity check for vdev id in wma_roam_event_callback() to prevent out of bound access of memory in wma_roam_better_ap_handler().

Change-Id: If3cf06a8eca767201fdd8b056bee6d773938a2a6
CRs-Fixed: 2119400
---
 core/wma/src/wma_scan_roam.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/core/wma/src/wma_scan_roam.c b/core/wma/src/wma_scan_roam.c
index 89a0f88c6c..5bd9782b87 100644
--- a/core/wma/src/wma_scan_roam.c
+++ b/core/wma/src/wma_scan_roam.c
@@ -5544,6 +5544,11 @@ int wma_roam_event_callback(WMA_HANDLE handle, uint8_t *event_buf,
 __func__, wmi_event->reason, wmi_event->notif, wmi_event->vdev_id, wmi_event->rssi);
+ if (wmi_event->vdev_id >= wma_handle->max_bssid) {
+ WMA_LOGE("Invalid vdev id from firmware");
+ return -EINVAL;
+ }
+
 DPTRACE(qdf_dp_trace_record_event(QDF_DP_TRACE_EVENT_RECORD, wmi_event->vdev_id, QDF_TRACE_DEFAULT_PDEV_ID, QDF_PROTO_TYPE_EVENT, QDF_ROAM_EVENTID));
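Review bot: The `WMA_LOGE` inside the added bounds check drops the rejected value, so an error-level record of a malformed firmware event says nothing about what was received. The preceding log call does print `vdev_id`, but its macro and level are outside the hunk, so it may not be emitted in production builds. Logging both sides of the comparison would make the rejection triageable, e.g. `WMA_LOGE("%s: invalid vdev_id %u from firmware, max_bssid %u", __func__, wmi_event->vdev_id, wma_handle->max_bssid);`, with format specifiers matched to the field types, which are not visible here. The guard sits only in this callback; according to the commit message the indexing happens in wma_roam_better_ap_handler(), so it is worth confirming that no other path reaches that handler, or another consumer of the firmware-supplied `vdev_id`, without an equivalent check. wma_roam_event_callback() starts and ends outside the hunk, so whether `wmi_event` and the event length are validated before this point cannot be judged from here.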